CVE-2022-29248 — HIGH (8.0)

Q: How severe is CVE-2022-29248?

CVE-2022-29248 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-29248?

Check the references section above for vendor advisories and patch information. Affected products include: Guzzlephp Guzzle, Drupal Drupal, Debian Debian Linux.

Vulnerability Description

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

CVSS Score

8.0

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Guzzlephp	Guzzle	< 6.5.6
Drupal	Drupal	>= 9.2.0, < 9.2.20
Debian	Debian Linux	11.0

Related Weaknesses (CWE)

CWE-565 CWE-200

References

https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdabPatchThird Party Advisory
https://github.com/guzzle/guzzle/pull/3018Issue TrackingPatchThird Party Advisory
https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3Third Party Advisory
https://www.debian.org/security/2022/dsa-5246Third Party Advisory
https://www.drupal.org/sa-core-2022-010PatchThird Party Advisory
https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdabPatchThird Party Advisory
https://github.com/guzzle/guzzle/pull/3018Issue TrackingPatchThird Party Advisory
https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3Third Party Advisory
https://www.debian.org/security/2022/dsa-5246Third Party Advisory
https://www.drupal.org/sa-core-2022-010PatchThird Party Advisory

FAQ

What is CVE-2022-29248?

CVE-2022-29248 is a vulnerability with a CVSS score of 8.0 (HIGH). Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the d...

How severe is CVE-2022-29248?

CVE-2022-29248 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-29248?

Check the references section above for vendor advisories and patch information. Affected products include: Guzzlephp Guzzle, Drupal Drupal, Debian Debian Linux.